I have configured Postfix to work with SASL using plain text, where the former automatically submits a default realm to the latter when requesting authentication.
Assuming the domain name is example.com and the user is foo, here is how I configured it on my Debian system so far.
In the Postfix configuration file /etc/main.cf:
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $mydomain
The SMTP configuration file /etc/postfix/smtpd.conf contains:
pwcheck_method: saslauthd
mech_list: PLAIN
The SASL daemon is configured with the sasldb mechanism in /etc/default/saslauthd:
MECHANISMS="sasldb"
The SASL database file contains a single user, shown by sasldblistusers2:
foo@example.com: userPassword
The authentication works well without having to provide a realm, as Postfix does that for me. However, I cannot find out how to tell the Cyrus IMAP daemon to do the same.
I created a user cyrus in my SASL database, which uses the realm of the host domain name, not example.com, for administrative purposes. I used this account to create a mailbox through cyradm for the user foo:
cm user.foo
IMAP is configured in /etc/imapd.conf this way:
allowplaintext: yes
sasl_minimum_layer: 0
sasl_pwcheck_method: saslauthd
sasl_mech_list: PLAIN
servername: mail.example.com
If I enable cross-realm authentication (loginrealms: example.com), trying to authenticate using imtest works with these options:
imtest -m login -a foo@example.com localhost
However, I would like to be able to authenticate without having to specify the realm, like this:
imtest -m login -a foo localhost
I thought that using virtdomains (setting it either to userid or on) and defaultdomain: example.com would do just that, but I cannot get it to work.
I always end up with this error:
cyrus/imap[11012]: badlogin: localhost [127.0.0.1] plaintext foo SASL(-13): authentication failure: checkpass failed
What I understand is that cyrus-imapd never tries to submit the realm when trying to authenticate the user foo.
My question: how can I tell cyrus-imapd to send the domain name as the realm automatically?
Thanks for your insights!
Best Answer
There are some ancient discussions about adding this feature, but apparently there is no way to specify a default authentication realm.
Development of Cyrus IMAP has essentially been stalled for over a decade (1998-2002 was the last spurt of "significant" development). Yes, there are updates still done (the last was 19 Apr 2012 however, over a year ago).
I wouldn't hold my breath on this being added.